Quickpost Archives | Forensic Blogs

September 10, 2020 by Didier Stevens

Quickpost: dig On Windows

I found out there’s a dig command for Windows.

I group small tools like this inside a bin folder. But dig relies on a set of DLLs, that should also be in the PATH, so I put them in the same bin folder.

These are the DLLs dig.exe needs:

libbind9.dll libcrypto-1_1-x64.dll libdns.dll libirs.dll libisc.dll libisccfg.dll libuv.dll libxml2.dll

I used procmon on my Win10 machine to figure out which DLLs are needed, as you get no error message (there’s probably a registry setting for that).

I do have a Windows 7 VM, that I can also use to figure out which DLLs are missing because it displays an error message:

And you might also need to install the Visual C redistribuable that is included with the downloaded ZIP:

And now I can run dig from my bin folder:

Quickpost info

September 9, 2020 by Didier Stevens

Quickpost: Downloading Files With Windows Defender & User Agent String

@mohammadaskar2 found out you can use Windows Defender to download arbitrary files. Like this:

"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\mpcmdrun.exe" -DownloadFile -url http://didierstevens.com/index.html -path test.html

This command uses MpCommunication as User Agent String:

Quickpost info

July 11, 2020 by Didier Stevens

Quickpost: curl

Since I learned that Windows 10 has curl pre-installed now, I notice I use it more often.

Here are some quick notes, mainly for myself:

Using Tor:

curl –socks5-hostname 127.0.0.1:9050 http://didierstevens.com

Option socks5-hostname uses SOCKS5 protocol and does name resolution of the hostname via the SOCKS5 protocol (and not local DNS)

Removing the User-Agent header:

curl –header “User-Agent:” http://didierstevens.com

Option –header (-H) can also be used to remove a header: provide the header name with colon, provide no header value.

Using a custom User-Agent header (-A –user-agent):

curl –user-agent “Mozilla/5.0 DidierStevens” http://didierstevens.com

Saving received data:

curl –dump-header 01.headers –output 01.bin.vir –trace 01.trace –trace-time http://didierstevens.com

Option —dump-header (-D) saves the headers, option –output (-o) saves the body, –trace creates a trace file and –trace-time adds timestamps to the trace file.

Option to ignore certificate errors: -k –insecure

Putting it all together:

curl –socks5-hostname 127.0.0.1:9050 –user-agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36” –insecure –dump-header 01.headers –output 01.data –trace 01.trace –trace-time https://didierstevens.com

Quickpost info